NIS2 · AI Exposure Lens · Step 1 of 2
First: confirm your entity classification

NIS2 places different supervisory expectations on essential and important entities. Your classification affects the weight of obligations and potential penalties. Select the description that best fits your organisation.

Jurisdiction check: NIS2 is a directive, not a directly applicable regulation. Your obligations depend on how each Member State has transposed it into national law. If you operate across several EU countries, use this assessment as a group-level exposure lens, then validate country-specific obligations with legal counsel.

NIS2 generally applies to medium and large organisations (50+ employees or €10M+ turnover) in listed essential and important sectors, with some exceptions. Classification should be confirmed against the national law of each relevant Member State.

DORA / EU AI Act Overlap
If your organisation also falls within DORA or deploys AI systems covered by the EU AI Act, AI-related cyber controls may need to satisfy overlapping expectations across operational resilience, AI governance, third-party risk, incident reporting, and management accountability. Treat NIS2 as one layer of the wider AI resilience and governance stack, not as a standalone compliance exercise.
NIS2 · AI Exposure Lens · Directive (EU) 2022/2555

Where does AI sit inside your NIS2 obligations?

NIS2 requires cybersecurity risk management across network and information systems. Where AI systems, AI-enabled services, foundation model providers, or agentic workflows support those systems, influence operational decisions, or introduce cyber risk, they should be assessed within the NIS2 governance, risk management, incident reporting, and supply-chain security framework.

Note
This tool is an AI-specific exposure lens for NIS2 readiness. It is not a legal determination of NIS2 applicability, entity classification, national transposition requirements, or compliance status. Validate outputs with legal, risk, security, and jurisdiction-specific regulatory counsel.
Status
NIS2 is now a live governance and evidence issue. Member State implementation is uneven, but supervisory expectations are moving from policy design to demonstrable controls, incident readiness, supply-chain visibility, and management-body oversight. AI systems and AI-enabled vendors should be mapped before they become a supervisory, audit, or incident-response gap.
AI Lens
Your NIS2 programme may be mature for traditional cybersecurity, but incomplete for AI-enabled systems, AI vendors, AI-assisted attacks, shadow AI, autonomous workflows, and foundation-model dependencies. Every question is framed around AI-specific exposure within NIS2-relevant cybersecurity obligations — the gaps that emerge when AI systems, AI-enabled services, or agentic workflows are added without corresponding updates to governance, controls, incident response, supply-chain oversight, and evidence.
How to use
Score each question first. Open the evidence panels where the score is weak or where you need to prepare board, audit, or remediation evidence. Best used as a workshop tool: score the current state, open weak evidence panels, export the gap register, then assign owners for the remediation plan.
Cross-border
NIS2 is a directive, not a directly applicable regulation. National transposition, registration requirements, competent authorities, supervisory practices, and enforcement timelines vary by Member State. If you operate across multiple EU jurisdictions, your group-level control framework may still require country-specific validation. The European Commission has taken infringement steps against Member States that failed to fully transpose NIS2.
AI-NIS2 Exposure Score
Exposure Level scale: Critical · Material · Managed · Low / Evidence Ready

Board Summary

Cross-Jurisdiction Risk

NIS2 national transposition is still uneven across EU Member States. If your organisation operates in multiple EU jurisdictions, a strong group-level compliance posture may still require country-specific validation against national law and local competent authority expectations. This is a separate risk from your technical control score.

Priority Remediation Plan — Domains scoring below 6
Questions your Board / CISO / CRO should be able to answer
  • Which AI systems or AI-enabled services support our network and information systems?
  • Which AI vendors or AI-enabled suppliers create material cyber dependency?
  • Where is AI represented in our NIS2 Article 21 risk-management measures?
  • Can we detect and report an AI-originated or AI-assisted significant incident within the required reporting sequence — early warning within 24 hours, notification within 72 hours, final report within one month?
  • Who owns AI cybersecurity risk across business, IT, security, procurement, and legal?
  • Which AI-specific attack vectors have been tested?
  • What evidence would we show an auditor tomorrow?